jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-29 09:04:39 -05:00
Code Issues Projects Releases Wiki Activity
Files
bbae7067d4b9fec855648c10255272bb80788b8d
docs/data/release-notes/enterprise-server/3-7/2.yml
Matt Pollard bbae7067d4 Release note bug fixes for 2023-04-17 (#36411)
2023-04-19 06:01:42 +00:00

43 lines
5.4 KiB
YAML
Raw Blame History

date: '2022-12-13'
sections:
security_fixes:
- |
**HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-46256](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46256).
bugs:
- A race condition blocked upgrades to GitHub Enterprise Server 3.6 or later until a site administrator retried the upgrade.
- When a site administrator ran the `ghe-repl-status` command on a cache replica via the administrative shell (SSH), the command incorrectly reported overall Git and Alambic cluster replication status information as if it pertained only to cache replication.
- When a site administrator ran the `ghe-repl-sync-ca-certificates` command from an instances primary node via the administrative shell (SSH), the command only replicated CA certificates from the instances primary node to a single replica node. The command did not replicate the certificates to all available replica nodes.
- In a high availability configuration, after promotion of a replica to be the primary node, a site administrator could not force replication to stop on a secondary replica node using the `ghe-repl-stop -f` command.
- When using repository caching with an instance in a high availability configuration, if a Git client used SSH instead of HTTPS for a repositorys remote URL, Git LFS would fetch objects from the instances primary node instead of the appropriate cache replica node.
- Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value.
- When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
- In some cases, searches via the API returned a `500` error.
- Adding a collaborator to a user-owned fork of a private, organization-owned repository with triage, maintain, or custom access resulted in a `500` error.
- In some cases, the page for setting up code scanning would erroneously report that GitHub Actions was not configured for the instance.
- Dismissing a Dependabot alert that contained certain characters could result in a `400` error.
- After a user's account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface.
- On an instance that uses SAML for authentication, the **Configure SSO** dropdown menu appeared erroneously for personal access tokens and SSH keys.
- An upgrade from GitHub Enterprise Server 3.5 to 3.7 could fail because the instance had not yet purged deleted repositories.
- In a high availability or repository caching configuration, Unicorn services on nodes other than the primary node were unable to send log events to the primary node.
- Fixes a bug in which a GHES log file could get filled very quickly and cause the root drive to run out of free space.
- When viewing code scanning results for Ruby, an erroneous beta label appeared.
changes:
- After an enterprise owner enables Dependabot alerts, GitHub Enterprise Server enqueues the synchronization of advisory data to ensure hourly updates from GitHub.com.
- A user's list of recently accessed repositories no longer includes deleted repositories.
- '{% data reusables.release-notes.scim-custom-mappings-supported-change %}'
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Actions services need to be restarted after restoring an instance from a backup taken on a different host.
- In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
- In some cases, users cannot convert existing issues to discussions.
- During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- '{% data reusables.release-notes.repository-inconsistencies-errors %}'
- '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'
- '{% data reusables.release-notes.new-subdomains-missing-from-management-console %}'
- '{% data reusables.release-notes.scim-saml-tokens-known-issue %}'
- '{% data reusables.release-notes.git-push-known-issue %}'
- '{% data reusables.release-notes.replication-commands-in-maintenance-mode-known-issue %}'
Reference in New Issue View Git Blame Copy Permalink